The
Internal Audit Department is responsible for reviewing and
investigating
allegations of misuse involving University employees or property. We share this
responsibility with entities
such as UNC’s Office of Human Resources and Public Safety Department,
the
Office of the State Auditor, and the State Bureau of Investigation.

Internal Audit Policy 2.3 of the Internal Audit Policies and Procedures
requires management to notify the University Police and the Internal
Audit
Department if they have reason to believe that public property or funds
may
have been damaged, lost, or misused.
Suspected misuse can be reported anonymously to Internal
Audit,
the
University Police, or the State Auditor’s Hotline.

Under
NCGS §114-15.1, misuse or other losses of funds must be reported to the
State
Bureau of Investigation. The
Assistant
to the Chancellor and Senior Legal Counsel submits these reports to the
SBI on
behalf of the University after being notified by University management,
the
Campus Police, or the Internal Audit Department.

Response to Reports of Misuse

Our response to allegations of misuse will depend on how the
information
is communicated to us.

If we are
notified by management, Human Resources,
Campus Police, Office of the State Auditor, or the SBI, we should
obtain basic
information about the situation and, if necessary, arrange a time to
meet to
discuss the situation. If
the notice
comes from a member of management, we should advise the individual of
the need
to report the situation to the Office of University Counsel. If we do not receive a
copy of the related
misuse report in a few days, we should contact the Office of University
Counsel
to determine if they have been notified of the possible misuse. If not, we should complete
a misuse report
form and send it to the Legal Office to be filed with the SBI.

If we are
notified anonymously or by someone other
than a member of University management, we should obtain as much
information as
possible from the individual making the compliant.
At minimum, we need to identify the nature of the caller’s
concerns, the area where the potential misuse has occurred or the names
of
individual believed to be involved, and obtain copies of any
documentation that
may be available. Any
staff member who
learns of a possible misuse in this manner should notify the Internal
Audit
Director who will complete a misuse form and
forward the form to the Legal Office to be filed.

Internal Audit
receives a
copy of all misuse reports that have
been submitted to the SBI. These
are
assigned a case number and logged by the Audit Assistant. The Director reviews each
report and
determines whether or not Internal Audit needs to investigate the
issues
identified in the report. We
will
generally
limit our investigations to situations involving loss or misuse of
funds or
other types of misuse that may have occurred due to a breakdown in controls.

Regardless
of the source of the complaint, we will
conduct an initial review to determine whether the allegations have
merit and
what steps are needed to investigate and resolve the issues raised in
the
complaint. While
all allegations should
be given careful consideration and treated seriously, it is important
to
remember these claims are unsubstantiated unless, and until,
corroborating
evidence is obtained.

Investigative Procedures

The
goals of
investigations of
potential misuse are to determine if the allegations of misuse are
valid, then
to identify control weaknesses or breakdowns in procedure that allowed
the
situation and any related problems to occur, determine the extent of
any loss,
and recommend corrective action to prevent the situation from recurring.

The
type of
investigative
procedures used will depend on the nature of the potential misuse and
the
results of the preliminary review.
The
investigation may stop with the preliminary review if that shows the
allegations are not valid or if the issues are minor and can be
resolved
through meetings with management of the area involved.
If the allegations are found to be valid,
the investigation may involve complex analyses of processes, reviews of
access
capabilities, and extensive tests of records.
There may be a need to extend the review into areas and
activities not
identified in the initial complaint.
An
auditor performing a misuse investigation must exercise considerable
judgment
in selecting the type and extent of procedures to be performed.

The
two most
important steps in
the investigative process are determining whether the allegations are
likely to
be valid and identifying control weaknesses that allowed any misuse to
occur. If
allegations are clearly invalid,
there is
no need to perform extensive work to investigate them.
We need to understand how a loss occurred
and what weaknesses are involved in order to know what we should
investigate
and how.

Investigations
of
potential
misuse must be conducted in a confidential manner and with respect for
the
rights of the individuals involved.
Whenever possible, Internal Audit will notify appropriate
members of
management prior to beginning an investigation.
Advance
notice may not be possible in rare situations when even a
small delay could allow additional funds to be lost or records
destroyed. In these
situations, Internal
Audit will
notify management as soon as possible after the investigation begins. If allegations involve
possible misuse by
management of an area, Audit will coordinate any investigation through
an
organizational level to which this area reports.

If
an investigation
reveals a
potential violation of any federal, state, or local law, we will
consult with
the Office of University Counsel for guidance.
If appropriate, we will also obtain guidance from the
Campus
Police or
the SBI.

Working Paper Documentation and
Communicating Results

The
process of
conducting and
reporting the results of a misuse investigation is similar to the
process
followed for a routine audit. However,
the working papers will follow a different format as will
correspondence used
to communicate the results of investigation.
Refer to the Standard Workingpaper Format for Misuse Investigations.

Extreme
care must be
taken to
ensure that information in any documents prepared in connection with a
misuse
investigation is presented neutrally and objectively.
We cannot assume allegations are true unless we have
obtained
evidence that proves them; the language and tone of our working papers
should
reflect this concept. Our
working
papers may end up as evidence in a criminal trial; keep in mind how a
defense
attorney might respond to a choice of words or presentation of
information as
you document the results of a review.
Never put anything in the working papers that you wouldn’t
want
to have read
back to you and challenged if testifying in a trial.
For example, instead of referring to something as
“duplicate
payment” use the term “possible overpayment.”
When presenting information from a complaint or misuse
report,
use
qualifiers such as “according to the complainant” or “caller alleged.” Simply stating the claims
may imply a
presumption of guilt.

As
a general rule,
avoid
identifying by name an individual who may be the target of the
investigation or
who made the complaint.

Background
Summary

Briefly
describe the nature of the complaint and whatever information has been
provided or obtained in the early stages of the review.

Conclude regarding whether or not any further investigation by Internal Audit will be needed.

Briefly
describe the nature of
the complaint and whatever information has been provided or obtained in
the
early stages of the review.

Conclude
regarding whether or not
any further investigation by Internal Audit will be needed.

Audit
Program

List the
specific procedures that
will be used to investigate the issue raised in the complaint,
preferably in
the order they will be performed.

Procedures will
often need to be
presented as a contingency. For
example,
“if any payments to XYZ, Inc. are found, obtain copies of documents
supporting
these transactions.”

Close-out
Letter or
Report

Should
identify
the source and
general nature of the complaint, broadly describe the procedures used
to
conduct the investigation, and state whether or not any evidence of
misuse was
found.

Minor findings
do not need to be
stated individually, but we should indicate whether or not we discussed
these
issues with management and whether they agreed to correct any
weaknesses noted.

Significant
findings should be reported individually
and accompanied by recommendations and responses by management.

Complex
investigations or those
that involve significant loses or cross departmental lines may need to
be
reported using the standard report format for routine audits.

In general,
close-out letters or
reports should contain only enough information to allow the reader to
identify
the nature of the allegations and the outcome of Internal Audit’s
investigation. Never
include names of
individuals in these letters or reports.

These
letters
or reports should
be addressed to the Chancellor, with copies to the Senior University
Counsel;
the Provost or Executive Vice-Chancellor (whichever is responsible for
the area
reviewed); the appropriate dean or vice-chancellor, associate
vice-chancellor,
and department head; the Associate Vice-Chancellor for Finance, and the
Chief
of the UNC Police.

When
a misuse investigations is complete, the Office Assistant should
assign a report number and the auditor-in-charge should complete a
Report Entry
Form so the project and be entered into the Findings2000 database. If no written report was
issued, a dummy
report number is assigned and the report date is left blank. If the project report
contains findings, the
auditor-in-charge should also complete a Finding Entry form for each
finding. See
Chapter 16 – Communicating
Results for
additional information.

Once these forms are complete, the auditor-in-charge gives them to the
Director for review.

After
the forms have been reviewed and approved, the Office Assistant
enters them into the Findings 2000 database.
See Chapter 18.